CVE-2026-44240 Overview
CVE-2026-44240 is a denial of service vulnerability in basic-ftp, an FTP client library for Node.js. Versions prior to 5.3.1 fail to enforce a maximum size on FTP control-channel responses during multiline response parsing. A malicious or compromised FTP server can send an unterminated multiline response during the initial banner phase, before authentication occurs. The client appends attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the growing buffer. This causes unbounded memory and CPU consumption, classified as [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
Applications using vulnerable basic-ftp versions can hang in connect() while memory and CPU usage grow, leading to process-level denial of service, container OOM kills, worker restarts, and queue backlog.
Affected Products
- basic-ftp Node.js library versions prior to 5.3.1
- Node.js applications that programmatically connect to FTP endpoints an attacker can control or influence, such as user-supplied or third-party servers
- Containerized workers performing automated FTP transfers
Discovery Timeline
- 2026-05-12 - CVE-2026-44240 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44240
Vulnerability Analysis
The basic-ftp library parses FTP control-channel responses according to RFC 959. A multiline response opens with a line consisting of a three-digit code followed by a hyphen (for example 220-), may contain any number of continuation lines, and ends with a line that begins with the same code followed by a space (220 ). The client accumulates incoming bytes into the internal FtpContext._partialResponse buffer and reparses the whole buffer each time more data arrives. The parser enforces no ceiling on the size of this buffer or on the number of reparse passes.
A hostile server exploits this by sending a banner that opens a multiline response but never sends the terminating line. Each new chunk extends _partialResponse, and the client reparses the entire accumulated content. The result is quadratic work over a continuously growing buffer, combined with unbounded memory allocation.
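The accumulate-and-reparse pattern described above, side by side with a bounded variant, as an added example. This is illustrative code written for this page, not basic-ftp's parser or its patch; the 8 KB and 64 KB caps, the chunk sizes, and the hostile banner are this example's choices. Both parsers accept the RFC 959 framing (code plus hyphen opens, code plus space closes); the difference is that the unbounded one rescans the entire buffer on every chunk and never stops, while the bounded one consumes completed lines incrementally and rejects a response that grows past its cap.

```javascript
'use strict';

// RFC 959 control-channel line: a three-digit code, then ' ' (single-line
// response, or the final line of a multiline one) or '-' (opens a multiline
// response), then text. Continuation lines may begin with anything.
const LINE_RE = /^(\d{3})([ -])(.*)$/;

// Accumulate-and-reparse parser with the property the advisory describes:
// every chunk is appended to `partial` and the whole buffer is split and
// scanned again from line 0. Nothing bounds the buffer or the passes while
// the "<code> " terminator has not arrived. Handles one response per feed().
function createUnboundedParser() {
  let partial = '';
  let scanned = 0; // characters examined over all passes (the CPU cost)
  return {
    feed(chunk) {
      partial += chunk;
      scanned += partial.length;
      const lines = partial.split('\r\n');
      const tail = lines.pop(); // unfinished last line, kept for next time
      if (lines.length === 0) return null;
      const first = LINE_RE.exec(lines[0]);
      if (!first) { // malformed first line: drop it and keep the rest
        partial = lines.slice(1).concat(tail).join('\r\n');
        return null;
      }
      const [, code, sep] = first;
      if (sep === ' ') {
        partial = lines.slice(1).concat(tail).join('\r\n');
        return { code, lines: [lines[0]] };
      }
      for (let i = 1; i < lines.length; i++) {
        if (lines[i].startsWith(code + ' ')) {
          partial = lines.slice(i + 1).concat(tail).join('\r\n');
          return { code, lines: lines.slice(0, i + 1) };
        }
      }
      return null; // still open: keep everything and rescan it next time
    },
    stats() { return { buffered: partial.length, scanned }; },
  };
}

class ResponseTooLargeError extends Error {}

// Hardened variant: each completed line is consumed as soon as it arrives,
// only the unfinished tail is retained, and the bytes accepted for one
// response are capped. The default cap is this example's choice, not the
// limit used by the upstream fix.
function createBoundedParser({ maxResponseBytes = 64 * 1024 } = {}) {
  let tail = '';
  let open = null; // { code, lines, bytes } while a multiline response is open
  return {
    feed(chunk) {
      const held = (open ? open.bytes : 0) + tail.length;
      if (held + chunk.length > maxResponseBytes) {
        throw new ResponseTooLargeError(
          `control response exceeds ${maxResponseBytes} bytes without terminating`);
      }
      tail += chunk;
      let end;
      while ((end = tail.indexOf('\r\n')) !== -1) {
        const line = tail.slice(0, end);
        tail = tail.slice(end + 2);
        if (open === null) {
          const m = LINE_RE.exec(line);
          if (!m) continue; // ignore junk between responses
          const [, code, sep] = m;
          if (sep === ' ') return { code, lines: [line] };
          open = { code, lines: [line], bytes: line.length + 2 };
          continue;
        }
        open.lines.push(line);
        open.bytes += line.length + 2;
        if (line.startsWith(open.code + ' ')) {
          const done = { code: open.code, lines: open.lines };
          open = null;
          return done;
        }
      }
      return null;
    },
    stats() { return { buffered: (open ? open.bytes : 0) + tail.length }; },
  };
}

// Constructed hostile banner: every chunk is a "220-" line, so the response
// opens on the first chunk and no chunk ever carries the "220 " terminator.
function hostileBannerChunks(count, chunkBytes = 100) {
  const line = '220-' + 'A'.repeat(chunkBytes - 6) + '\r\n';
  return Array.from({ length: count }, () => line);
}

// Feeds chunks until a response completes, the parser rejects, or the input
// is exhausted (the unbounded parser only ever reaches the last outcome).
function drive(parser, chunks) {
  let fed = 0;
  try {
    for (const chunk of chunks) {
      fed += 1;
      if (parser.feed(chunk) !== null) return { outcome: 'response', fed, ...parser.stats() };
    }
    return { outcome: 'exhausted', fed, ...parser.stats() };
  } catch (err) {
    if (!(err instanceof ResponseTooLargeError)) throw err;
    return { outcome: 'rejected', fed, ...parser.stats() };
  }
}

console.log('unbounded:', drive(createUnboundedParser(), hostileBannerChunks(1000)));
console.log('bounded:  ', drive(createBoundedParser({ maxResponseBytes: 8192 }), hostileBannerChunks(1000)));
```

With 1000 chunks of 100 bytes the unbounded parser ends holding 100 000 bytes and has scanned 50 050 000 characters (the sum 100 + 200 + ... + 100 000), which is the quadratic cost in action; the bounded parser with an 8 KB cap rejects the stream on the 82nd chunk holding 8 100 bytes. Both parsers still accept a legitimate three-line banner split across arbitrary chunk boundaries.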
Root Cause
The root cause is missing bounds enforcement during stream-based protocol parsing. The library trusts the server to eventually terminate multiline responses and does not cap control-channel response size, total bytes received, or parse-loop iterations during a single response sequence.
Attack Vector
Exploitation requires only that a vulnerable client initiate an FTP connection to a server the attacker controls. No credentials are needed, because the payload is delivered in the pre-authentication banner, before the client sends USER. Any service that automatically connects to user-supplied or third-party FTP endpoints, such as ingestion pipelines, mirror jobs, or SaaS integrations, is exposed to whoever controls those endpoints.
The vulnerability manifests in the multiline response accumulator within FtpContext. See the GitHub Security Advisory for technical details on the patched parser logic.
Detection Methods for CVE-2026-44240
Indicators of Compromise
- Node.js processes consuming steadily increasing memory while stalled inside Client.connect() against an FTP host
- Container restarts with OOMKilled status correlated to outbound FTP connections
- Long-running TCP sessions to port 21 with no successful authentication and continuous inbound bytes
Detection Strategies
- Inventory dependencies for basic-ftp versions below 5.3.1 using npm ls basic-ftp or software composition analysis tooling
- Monitor Node.js worker resident set size (RSS) growth during FTP connection establishment phases
- Alert on FTP control-channel sessions where bytes received before authentication exceed a reasonable banner size threshold, such as 8 KB
Monitoring Recommendations
- Track CPU saturation and memory growth on workers that initiate outbound FTP traffic
- Log FTP connection durations and flag sessions stuck in the pre-authentication state beyond a configured timeout
- Correlate egress connections to port 21 with downstream service degradation signals such as queue depth and worker restart counts
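The two session-level signals from the detection strategies and monitoring recommendations above (pre-authentication byte volume and time stuck before login), as an added example that is not part of the original page. The log format is invented for this example and the lines are constructed; the 8 KB byte threshold and 60 s stall threshold are defaults chosen here and should be tuned to the banner sizes and connect latencies seen in your own fleet.

```javascript
'use strict';

// Constructed sample, in an invented key=value format: lifecycle events that a
// worker might log for each FTP session. "banner_bytes n=" records bytes read
// from the control channel in one read; "login" marks successful authentication.
const SAMPLE_LOG = `
2026-05-13T10:00:01Z ftp session=a1 host=mirror.example.net event=connect
2026-05-13T10:00:01Z ftp session=a1 host=mirror.example.net event=banner_bytes n=312
2026-05-13T10:00:02Z ftp session=a1 host=mirror.example.net event=login
2026-05-13T10:01:00Z ftp session=b2 host=203.0.113.7 event=connect
2026-05-13T10:01:05Z ftp session=b2 host=203.0.113.7 event=banner_bytes n=4096
2026-05-13T10:01:40Z ftp session=b2 host=203.0.113.7 event=banner_bytes n=6144
2026-05-13T10:03:00Z ftp session=c3 host=198.51.100.9 event=connect
2026-05-13T10:03:10Z ftp session=c3 host=198.51.100.9 event=banner_bytes n=512
`.trim();

// "<ts> ftp k=v k=v ..." -> { ts: epoch ms, k: v, ... }
function parseLine(line) {
  const [ts, , ...pairs] = line.split(' ');
  const fields = { ts: Date.parse(ts) };
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return fields;
}

// Rebuilds per-session state from the log and returns one alert per session
// that is still unauthenticated and has either (a) received more than
// maxPreAuthBytes on the control channel or (b) been open for more than
// maxPreAuthSeconds. `now` is the evaluation time (epoch ms); when omitted,
// each session's last event time is used, which only catches (a) reliably.
function analyzeSessions(log, { maxPreAuthBytes = 8192, maxPreAuthSeconds = 60, now } = {}) {
  const sessions = new Map();
  for (const raw of log.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const f = parseLine(line);
    if (!sessions.has(f.session)) {
      sessions.set(f.session, { session: f.session, host: f.host, connectedAt: f.ts,
        lastSeen: f.ts, preAuthBytes: 0, authenticated: false });
    }
    const s = sessions.get(f.session);
    s.lastSeen = f.ts;
    if (f.event === 'connect') s.connectedAt = f.ts;
    else if (f.event === 'login') s.authenticated = true;
    else if (f.event === 'banner_bytes' && !s.authenticated) s.preAuthBytes += Number(f.n);
  }
  const alerts = [];
  for (const s of sessions.values()) {
    if (s.authenticated) continue; // only pre-auth sessions are of interest
    const reasons = [];
    if (s.preAuthBytes > maxPreAuthBytes) {
      reasons.push(`received ${s.preAuthBytes} bytes before authentication (limit ${maxPreAuthBytes})`);
    }
    const openFor = ((now === undefined ? s.lastSeen : now) - s.connectedAt) / 1000;
    if (openFor > maxPreAuthSeconds) {
      reasons.push(`unauthenticated for ${openFor}s (limit ${maxPreAuthSeconds}s)`);
    }
    if (reasons.length) alerts.push({ session: s.session, host: s.host, reasons });
  }
  return alerts;
}

console.log(analyzeSessions(SAMPLE_LOG, { now: Date.parse('2026-05-13T10:05:00Z') }));
```

Evaluated at 10:05:00, session b2 is flagged on both counts (10 240 pre-auth bytes and 240 s without login) and c3 on the stall alone; a1 logged in and is ignored. Evaluated only from the events themselves (no `now`), just b2 trips the byte threshold, which is why the stall check should run against the current clock on a schedule rather than only when a log line arrives.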
How to Mitigate CVE-2026-44240
Immediate Actions Required
- Upgrade basic-ftp to version 5.3.1 or later across all Node.js applications and container images
- Audit application code that calls Client.connect() with user-supplied or third-party hostnames
- Restrict outbound FTP connectivity from worker fleets to an allowlist of trusted servers
Patch Information
The maintainer fixed this vulnerability in basic-ftp version 5.3.1 by enforcing bounds on control-channel response accumulation. Upgrade using npm install basic-ftp@^5.3.1 and rebuild affected container images. Review the GitHub Security Advisory GHSA-rpmf-866q-6p89 for the full patch description.
Workarounds
- Wrap Client.connect() calls in a strict wall-clock deadline and abort connections that do not complete authentication within a small window. A socket inactivity timeout is not sufficient on its own: a server streaming an unterminated banner keeps the socket busy, so an idle timer never fires.
- Constrain process memory using container limits and Node.js --max-old-space-size to bound blast radius
- Validate FTP target hostnames against an allowlist before initiating connections
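The deadline and allowlist workarounds above, combined into one guarded connect routine, as an added example that is not part of the original page and not basic-ftp's own API. The routine assumes a client object exposing access(options) that resolves once the banner has been read and login has completed, and close() that tears the socket down; basic-ftp's Client has methods with those names, but the code below runs only against constructed stub clients so that it works offline. The allowlist, credentials and 50 ms deadline are placeholders.

```javascript
'use strict';

// Exact-match hostname allowlist, checked before any socket is opened.
// Entries are host names or IP literals; no wildcards, so "evil.mirror.example.net"
// is not matched by "mirror.example.net". Returns the normalized host.
function assertAllowedHost(host, allowlist) {
  const normalize = h => String(h).trim().toLowerCase().replace(/\.$/, '');
  const target = normalize(host);
  const allowed = new Set(allowlist.map(normalize));
  if (!allowed.has(target)) {
    throw new Error(`FTP host not in allowlist: ${target}`);
  }
  return target;
}

// Races `operation` against a wall-clock timer. On expiry, `abort` is invoked
// so the caller can tear the connection down, then the promise rejects.
// Unlike a socket inactivity timeout, this fires even while the peer keeps
// sending bytes.
function withDeadline(operation, ms, abort) {
  let timer;
  const expiry = new Promise((_, reject) => {
    timer = setTimeout(() => {
      try { abort(); } catch (_) { /* teardown errors must not mask the timeout */ }
      reject(new Error(`connect deadline of ${ms} ms exceeded`));
    }, ms);
  });
  return Promise.race([operation, expiry]).finally(() => clearTimeout(timer));
}

// Guarded connect: allowlist first, then access() under a deadline. Returns a
// structured result instead of throwing so callers can log and move on.
// `client` is assumed to expose access(options) and close() (see lead-in).
async function guardedConnect(client, host, { allowlist, deadlineMs, user, password }) {
  try {
    const target = assertAllowedHost(host, allowlist);
    await withDeadline(
      client.access({ host: target, user, password }),
      deadlineMs,
      () => client.close(),
    );
    return { ok: true, error: null, closed: client.closed };
  } catch (err) {
    client.close(); // idempotent teardown on any failure path
    return { ok: false, error: err.message, closed: client.closed };
  }
}

// Constructed stubs standing in for a real client so the example runs offline.
// With stuck=true, access() never settles, as a client hung in connect()
// against a hostile server would behave; close() records that teardown ran.
function makeStubClient({ stuck }) {
  return {
    closed: false,
    access() { return stuck ? new Promise(() => {}) : Promise.resolve(); },
    close() { this.closed = true; },
  };
}

// Placeholder policy: allowlist, credentials and deadline are illustrative.
const POLICY = { allowlist: ['mirror.example.net'], deadlineMs: 50, user: 'sync', password: 'placeholder' };

// Runs the three cases a practitioner cares about: a hung connect that gets
// aborted, a healthy connect, and a host that is refused before any connect.
async function demo() {
  const stuck = await guardedConnect(makeStubClient({ stuck: true }), 'mirror.example.net', POLICY);
  const healthy = await guardedConnect(makeStubClient({ stuck: false }), 'Mirror.Example.NET', POLICY);
  const denied = await guardedConnect(makeStubClient({ stuck: false }), '203.0.113.7', POLICY);
  return { stuck, healthy, denied };
}

demo().then(result => console.log(JSON.stringify(result, null, 2)));
```

In a real worker the deadline should cover the whole pre-transfer phase (banner, login, and any TLS upgrade), and the abort callback must actually destroy the socket, otherwise the process keeps buffering the hostile banner after the caller has moved on. Pair this with the memory caps from the previous item so that a missed case is an OOM of one worker rather than of the host.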
# Configuration example: upgrade and pin the fixed version
npm install basic-ftp@^5.3.1
npm ls basic-ftp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


